Istio - namespace-level access control is applied to only a single value in the list

8/13/2019

I'm running Istio 1.2.3 in a GKE environment. I've set up the sock-shop demo application, and am trying to configure HTTP authorization on namespace level. I've enabled Istio's RBAC, and am running the following ServiceRole:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-viewer
  namespace: default
spec:
  rules:
  - services: ["*"]
    methods: ["GET"]
    constraints:
    - key: "destination.labels[name]"
      values: ["front-end", "catalogue", "catalogue-db", "carts", "carts-db", "queue-master", "rabbitmq", "orders", "orders-db"]

and the following ServiceRoleBinding:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-service-viewer
  namespace: default
spec:
  subjects:
  - properties:
      source.namespace: "istio-system"
  - properties:
      source.namespace: "default"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"

The sock-shop has been deployed in the default namespace, whereas Istio, as usual, is deployed in the istio-system namespace.

However, when I connect to the website, only the front-end loads. The front-end is supposed to fetch the catalogue and carts pages. However, as seen in Kiali, 100% of the traffic going from the front-end to catalogue and carts ends with a 5xx response code. If I remove Istio's RBAC, traffic flows successfully.

-- Patrick Weyn
google-kubernetes-engine
istio
rbac

0 Answers
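An added example, not code from the question or from Istio: a small Python model of the v1alpha1 ServiceRole/ServiceRoleBinding evaluation (a rule matches when service, method and every constraint match, values within one constraint are OR-ed, and any subject of the binding may match), applied to the policy posted above with constructed requests. It assumes the sock-shop pods carry a `name` label, as the constraint key `destination.labels[name]` in the question implies.

```python
# Added example (not from the question or from Istio): a minimal evaluator for the
# v1alpha1 ServiceRole/ServiceRoleBinding semantics applied to the question's policy.
from collections import namedtuple

# A request as the sidecar sees it: HTTP method, destination service host,
# labels on the destination pod, and the caller's namespace.
Request = namedtuple("Request", "method dest_service dest_labels source_namespace")

# The ServiceRole and ServiceRoleBinding from the question, as Python dicts.
SERVICE_VIEWER = {"rules": [{
    "services": ["*"],
    "methods": ["GET"],
    "constraints": [{"key": "destination.labels[name]",
                     "values": ["front-end", "catalogue", "catalogue-db", "carts",
                                "carts-db", "queue-master", "rabbitmq", "orders",
                                "orders-db"]}],
}]}
BIND_SERVICE_VIEWER = {"subjects": [
    {"properties": {"source.namespace": "istio-system"}},
    {"properties": {"source.namespace": "default"}},
]}

def glob_match(pattern, value):
    """Istio RBAC list entries: exact, '*', prefix ('foo*') or suffix ('*.svc')."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value.endswith(pattern[1:]) if pattern.startswith("*") else pattern == value

def constraint_ok(constraint, req):
    """Only destination.labels[<key>] is modelled; values in one constraint are OR-ed."""
    key = constraint["key"]
    if not (key.startswith("destination.labels[") and key.endswith("]")):
        raise ValueError("unsupported constraint key: " + key)
    return req.dest_labels.get(key[len("destination.labels["):-1]) in constraint["values"]

def rule_allows(rule, req):
    """A rule matches only if service, method AND every constraint all match."""
    return (any(glob_match(s, req.dest_service) for s in rule["services"])
            and any(glob_match(m, req.method) for m in rule["methods"])
            and all(constraint_ok(c, req) for c in rule.get("constraints", [])))

def is_allowed(role, binding, req):
    """Allowed when any subject in the binding matches AND any rule in the role matches."""
    subject_ok = any(s["properties"].get("source.namespace") == req.source_namespace
                     for s in binding["subjects"])
    return subject_ok and any(rule_allows(r, req) for r in role["rules"])
```

Running constructed requests through it shows that a GET from the default namespace to a pod labelled `name: catalogue` passes, while the same call with any method other than GET, from another namespace, or to a pod without a matching `name` label is denied by this policy.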